Friday, March 6, 2015

Similar to the "System Idle Process" and the "System" process, smss.exe, wininit.exe, services.exe, winlogon.exe and csrss.exe are some of the other critical processes to be aware of on Windows systems. Many times, malicious processes will have the same or similar names as legitimate processes, so it's important that we are able to differentiate between what's legit and what's not.

Session Manager Subsystem (smss.exe)

- Initiated by System (PID 4) - the parent should be marked as "System" with PID 4
- In contrast to the "System Idle Process" and the "System" process, this one points to a valid executable on disk: C:\Windows\System32\smss.exe
- First user-mode process created
- Responsible for starting user sessions
- Should have only 1 active copy once the system has initialized (the short-lived per-session copies it spawns exit as soon as each session is up)

Service Control Manager (services.exe)

- Created by wininit.exe - the parent should be wininit.exe
- Hosts the Service Control Manager, which starts, stops and otherwise controls Windows services
- Similarly to smss.exe, this process points to a specific executable: C:\Windows\System32\services.exe
- Should have only 1 active copy

Windows Logon (winlogon.exe)

- Created by smss.exe, specifically the per-session smss.exe instance that exits right after launching it, so on a live system the parent usually shows as a PID that no longer exists rather than as a running process
- Used for interactive logons and logoffs
- Works in conjunction with credential providers
- Similarly to smss.exe, this process points to a specific executable: C:\Windows\System32\winlogon.exe
- One copy per interactive session is normal
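The characteristics above (expected parent, expected image path, expected instance count, and the "same or similar name" trick) are exactly the checks you end up doing by hand across a process listing. The script below is an added example, not code from the original post: it encodes those rules for smss.exe, services.exe and winlogon.exe and runs them over a constructed listing in the shape of a pslist/tasklist export (name, pid, ppid, path). The sample rows, PIDs and the look-alike "winlogin.exe" are all made up for the demonstration; feeding the checker from a live system (for instance a Get-CimInstance Win32_Process export) is assumed and not shown.

```python
"""Triage a Windows process listing against the characteristics of the core
processes described above: expected parent, expected image path, expected
instance count, and names that merely look like a critical process.

Added example, not code from the original post. The listing is constructed
inline in the shape of a pslist/tasklist export (name, pid, ppid, path).
"""
from collections import Counter

# Names an attacker is likely to imitate; used for the look-alike check.
CRITICAL_NAMES = {"system", "smss.exe", "csrss.exe", "wininit.exe",
                  "services.exe", "winlogon.exe"}

# Expected characteristics (lower-cased for comparison). A parent of None
# means "the real parent has already exited, so the ppid cannot be
# resolved", which is normal for winlogon.exe: the per-session smss.exe
# that creates it is short-lived.
EXPECTED = {
    "smss.exe": {"parents": {"system"},
                 "path": r"c:\windows\system32\smss.exe",
                 "max_instances": 1},
    "services.exe": {"parents": {"wininit.exe"},
                     "path": r"c:\windows\system32\services.exe",
                     "max_instances": 1},
    "winlogon.exe": {"parents": {"smss.exe", None},
                     "path": r"c:\windows\system32\winlogon.exe",
                     "max_instances": None},   # one per interactive session
}

# Constructed sample listing: the first six rows are benign, the last three
# are planted anomalies. PIDs are invented.
SAMPLE_PROCESSES = [
    {"name": "System", "pid": 4, "ppid": 0, "path": ""},
    {"name": "smss.exe", "pid": 348, "ppid": 4, "path": r"C:\Windows\System32\smss.exe"},
    {"name": "wininit.exe", "pid": 460, "ppid": 424, "path": r"C:\Windows\System32\wininit.exe"},
    {"name": "services.exe", "pid": 552, "ppid": 460, "path": r"C:\Windows\System32\services.exe"},
    {"name": "winlogon.exe", "pid": 512, "ppid": 440, "path": r"C:\Windows\System32\winlogon.exe"},
    {"name": "explorer.exe", "pid": 2890, "ppid": 2700, "path": r"C:\Windows\explorer.exe"},
    # second smss.exe: wrong parent and wrong path
    {"name": "smss.exe", "pid": 3120, "ppid": 2890, "path": r"C:\Users\bob\AppData\Local\Temp\smss.exe"},
    # second services.exe launched from explorer.exe, outside System32
    {"name": "services.exe", "pid": 4012, "ppid": 2890, "path": r"C:\Windows\services.exe"},
    # look-alike name, one character off from winlogon.exe
    {"name": "winlogin.exe", "pid": 5521, "ppid": 2890, "path": r"C:\Users\bob\AppData\Roaming\winlogin.exe"},
]


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_processes(procs):
    """Return a list of (pid, name, reason) findings for the listing.

    pid is None for instance-count findings, which concern the whole set.
    """
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []

    for p in procs:
        name = p["name"].lower()
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None

        # A name one edit away from a critical process, but not one itself.
        if name not in CRITICAL_NAMES and any(
                edit_distance(name, crit) == 1 for crit in CRITICAL_NAMES):
            findings.append((p["pid"], p["name"], "look-alike of a critical process name"))
            continue

        rule = EXPECTED.get(name)
        if rule is None:
            continue
        if parent_name not in rule["parents"]:
            findings.append((p["pid"], p["name"],
                             f"unexpected parent {parent_name!r} (ppid {p['ppid']})"))
        if p["path"].lower() != rule["path"]:
            findings.append((p["pid"], p["name"],
                             f"unexpected image path {p['path']!r}"))

    # Instance-count rule, reported once per process name.
    for name, rule in EXPECTED.items():
        limit = rule["max_instances"]
        if limit is not None and counts[name] > limit:
            pids = [p["pid"] for p in procs if p["name"].lower() == name]
            findings.append((None, name,
                             f"{counts[name]} instances {pids}, expected at most {limit}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_processes(SAMPLE_PROCESSES):
        print(f"{pid!s:>6}  {name:<14} {reason}")
```

On the sample listing the three benign critical processes produce no findings; the planted smss.exe and services.exe each get a parent finding and a path finding, both names get an instance-count finding, and winlogin.exe is flagged as a look-alike. Note that the path rule is case-insensitive but exact, so a legitimate-looking copy in C:\Windows\ (rather than System32) is still caught; the look-alike rule is only a heuristic and should be tuned against the full set of names you care about.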

Why does all of this matter? Thought you would never ask ... Being able to identify processes in general helps you decide what to investigate. Knowing which processes are critical and what their parent, path and instance count should look like makes the investigation much easier, because anything that deviates from those characteristics stands out immediately.

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis